PHP Web Security - From Exploitation to Correction

This workshop leads participants through the different risks of programming in PHP, using practical examples executed in a simulated environment. Everything in the workshop is presented with an emphasis on the impact of an attack, because each vulnerability covered is actually exploited. The final goal is to learn how to break and fix a PHP web application as it is built today.

The target attendee is a PHP developer who is not yet familiar with security methods and/or wants an overview of the attacker's perspective.

By the end of the training, the participant will be able to understand the mechanics of a real attack, identify the flawed code, evaluate the impact and apply the necessary corrections.

Covered Topics

In the form of a workshop, each part is an exercise for the participants with custom examples in PHP, Drupal, Symfony and Zend.

Introduction to security

Injection principles

Tools and testing methods

Find and correct vulnerabilities
The following steps will be iterative over multiple examples according to the preferences of participants:

Flaw: Finding and understanding

Attack: Guided exploitation of found vulnerability

Solution: Secure application principles and correction

Verification: Validation test of the corrected vulnerability

Conclusion on acquired knowledge

The training includes a Linux Live CD (DVD, USB or ISO file) that contains the testing environment, tools, examples and solutions.

Requirements: a laptop with a DVD drive, USB port or a virtualization solution (VirtualBox is recommended).

Jonathan Marcil

Jonathan likes being involved in many community events, and at ConFoo he keeps track of security-related talks and OWASP visibility. His main occupation is consulting in web security, but deep down he is a developer with an agnostic view of programming languages. He holds a diploma in Software Engineering from École de Technologie Supérieure and has more than 10 years of experience in Information Technology and Security.